SQ01 authorization

Hi Expert,
I created SAP query for users, and assigned users with their respective infoset and user group.
The problem is that when users access SQ01 to execute the queries, they have authorization to change / maintain the queries, and I want to disable this functionality.
I would like the users to have authorization to execute the queries only and not be allowed to change / maintain the queries.
Question:
What kind of authorization object / way that I can achieve the above objective?
I read this post, Restricting Access for SQ01 User Group, but it is not working for me. I am from the SAP FICO side (not much knowledge of basis).
Thanks in advance.
sbmel

Hi Both,
Thanks for your reply.
Activity under object: S_QUERY, only has 02, 23, 67 (they are not working to prevent user from changing the queries)
I have several queries; therefore the level of maintainability is not advisable if a Tcode is created for each query.
Do you have any other suggestion?
If there is really no way to prevent users from changing the queries from SQ01, one way that I can think of is to build a customized tcode for SQ01, for example: ZSQ01, and from this tcode, disable some of the buttons (like the change button).
Kindly help on this.
Thanks in advance.
Sbmel

Similar Messages

  • Query (SQ01): Variant authorization

    Hello experts,
    I made a query from SQ01.
    I want to create a variant on this query but with authorization only for a specific user.
    How can I restrict authorization to one variant of a query so that it can only be executed by a specific user?
    Example:
    SQ01 query name: Z_QUERY_1
    Variant name: V1_Q_1
    User:  USER1
    Only user USER1 must have authorization to execute variant V1_Q_1
    Regards,
    Juan

    Hi
    Refer the below url
    [User-specific Selection Variables  |http://help.sap.com/saphelp_nw70/helpdata/en/c0/98039ee58611d194cc00a0c94260a5/content.htm]
    [Query|http://goldenink.com/abap/sap_query.html]

  • Field based authorization in Query SQ01

    Hi SAP Gurus
    I have made a query via SQ01. Now I have assigned two users to execute the query, but both these users are from different companies and are able to execute the query for another company also, which is not correct.
    What I want to do is to restrict company code in accordance with the user id of the respective person.
    We do not have an abapper currently. Can anyone help me with this?
    Regards
    Hitesh

    Hi,
    You can restrict the users from accessing the query from the infoset with a standard/custom authorization for company code.
    If the company code selection field is defined inside the infoset, then the authorization check can be implemented in the at selection screen event inside the infoset.
    If the company code selection field is defined at query level, then we can implement the authorization check at the start-of-selection event in the infoset.
    Regards
    Shibino

  • Authorization to fetch data from SQ01

    Dear experts,
    We have one template here, shared all over the world in 20 countries.
    I have created a query in SQ01 and want to give authorization to each country for the report related to their entities only, e.g. for Malaysia users, they can fetch SO numbers from Sales Org MY01 to MY50 only and cannot fetch the data from Singapore (SG01 to SG50).
    How can I restrict the users by any authorization object? Is it possible in SQ01?
    Regards,
    Praveen

    Hi Praveen,
    You can include authorisation checks in the Infoset for the query, your development team will be able to help you with this.  Those restrictions will apply to all queries derived from that infoset.
    Regards
    Alex

  • AHDOC Query sq01 problem

    Hi All,
    I have a requirement to create an adhoc query in which I cannot use logical database PNP in the infoset, so I have to use joins for different infotype tables.
    I have to create an infoset in SQ02 for quite a few tables, PA0000, PA0001, PA0002, PA0006, PA0041, PA00105, just to name a few.
    1. Now, how do I create the join? If I put a join on pernr of each table then it will bring me multiple rows of history of all infotypes involved.
    2. How do I put dates on the selection screen? There will be begda and endda in each infotype; I would need only records that are active from each infotype.
    3. Do I need to join on begda and endda on each infotype? I don't think so.
    Most importantly, can it be achieved through SQ01 or am I barking up the wrong tree?
    Thanks for help, and I will award points for all useful answers.
    ~ Monkey.

    First make yourself clear what you have to do if you do not use LDB:
    1. Time calculation and split handling
    This will be the first challenge. Imagine 5 Infotypes with 3-5 time intervals each and its split calculation and handling.
    2. Authorization check.
    You have to ensure that authorization check is done right the same as in the rest of HR. Of course with direct selects you have to reprogram everything that is there for PA and PD side
    These two points alone are several years of development.
    3. Special handling
    There are some infotypes and fields that have special handling like repeat fields, indirect evaluation, calculated/derived values
    4. Automatic text recognition
    This is done with no effort at all in an HR InfoSet. Imagine you need to get all the texts by yourself and again with the correct time etc.
    So to be honest I think your approach is simply not feasible.
    Instead you should examine the query closer.
    No there is not always an inner join. If there is no data the fields are empty but the pernr of course is processed.
    Only if you select for this field then the pernr is skipped if the condition does not match.
    Further there are a lot of switches available please see [note 305118|https://css.wdf.sap.corp/sap/support/notes/0000305118] and the attachment HR_QUERY_GENERATOR_SWITCHES_EN.PDF for documentation of the same.
    Again you should invest time what the tools already can instead of trying to develop everything again.
    Regards,
    Michael

  • Creation of Query - SQ01

    Hello All,
    Can anybody explain in brief how to write a query using SQ01?
    If possible can anybody send me the docs relating to this?
    Thank you,
    Regards,
    Santosh Kumar V

    Santosh - I am also new to SQ01, however I have some suggestions that hopefully will be helpful to you.  I recommend starting with the QuickViewer.  You can access this from SQ01 or via SQVi directly. 
    From here you can create your own queries (similar to local objects) which can then be converted into InfoSets/Queries in which users can access. 
    1. Enter a name + Create
    2. Give a description, decide if Data Source is a table (single) or a join (many)
    3. I assume you are creating a join.  When you select join it will take you into the tool to generate the query.  The first step is selecting (and joining) your tables.  Insert table (Shift +F1) will get you started here.  Once all your data is selected you green arrow back to select/map out your selection criteria and the data in which you wish to list in the results.
    4. You can execute from here as well to confirm your results
    5. Once you are good to go, you can easily convert this query by going back to SQ01 (select SAP Query).  Enter your QuickView query name and then in the menu path select Query --> ConvertQuickView.  This will then prompt you through the steps to convert your QuickView Query into an SAP infoset/Query. 
    6. Once you have created the SAP Query you can then assign usergroups via menu path environment --> usergroups for authorization.  This allows others to execute your query, however not create one themselves. 
    I hope this is helpful. Best of luck!

  • Restriction of Tcode SQ01 based on Company code

    We are running one customized query using Tcode SQ01.  We need to restrict Tcode SQ01 in company code level.  We have checked about authorization object in st01. But there is no check of authorization object. Can anybody help to restrict SQ01 based on company code level?
    Regards
    Auroshikha

    Hi Auroshikha,
    It's very easy to maintain authorization in your Infoset Query report. I got and implemented a similar requirement, i.e. restriction / authorization as per company code.
    You need to use an authority check for authorization object P_ORGIN in your infoset.
    Please follow the steps below:
    -->Go to SQ02, enter your Infoset name and click on the Change button.
    -->Click on the 'Code' (Shift+F8) icon displayed on the application toolbar; you will be moved to the Code Section of the Infoset that lists different events.
    -->Choose the Record Processing event from the code section.
    -->Write the following code in the 'Record processing' event of your Infoset.
    AUTHORITY-CHECK OBJECT 'P_ORGIN'
      " ID 'INFTY' FIELD '*'
      " ID 'SUBTY' FIELD '*'
      ID 'AUTHC' FIELD 'R'           "read
      ID 'PERSA' FIELD P0001-WERKS.  "the statement ends on the last active line
      " ID 'PERSG' FIELD DUMMY
      " ID 'PERSK' FIELD DUMMY
      " ID 'VDSK1' FIELD DUMMY
    CHECK sy-subrc EQ 0.             "skip the record when the check fails
    Note: The PERSA field used in this authorization object plays an important role; if you are in a different module other than HR, then pass table_name-companycode_field here.
    -->Generate Infoset
    -->Go to SQ01 (in a new session), click on Execute or the 'Test' button to check that authorization is working for the report
    Let me know if you need any more details.
    Thank you.
    Regards,
    Dinesh Tiwari

  • MSS genericiview and R/3 structural authorizations

    Hi,
    I have created some iViews based on par-file "eeprofilegenericiviewtable" to display R/3-queries. In R/3 we use also structural authorizations for the managers with functional module RH_GET_MANAGER_ASSIGNMENT.
    The structural authorization is working in R/3 for a selected manager selecting a query directly from the R/3 via SQ01, but it doesn't in the iview. When the same user is viewing the "query"-iview, the message "No data selected" appears.
    When I assign the user a structural authorization without the functional module RH_GET_MANAGER_ASSIGNMENT, e.g. only with some object types, the user can retrieve data without any problem using "query"-iview.
    Probably the problem is in the functional module HR_INFO_GET_USING_QUERY used for retrieving R/3 query data from the portal and used by the iview eeprofilegenericiviewtable.
    Has anybody met a similar problem? We are using EP6.0 SP14 and SAP R/3 4.6C.
    Beata

    Hi Dwayne (and others!),
    We're facing similar problems with the error message "R3_CONNECT_FAILED". However, our difficulties are a bit strange because it only occurs on one of our two server nodes. We're running SAP EP 6.4, SP9.
    Previously, we've had problems with the maximum number of connections towards our backend system, SAP R/3. But setting the environment variable CPIC_MAX_CONV helped us.
    However, now we get the above error, but only on one of our server nodes. Do you (or anyone else) have any suggestions as to what might be wrong?
    Thanks in advance,
    Rasmus

  • Using View Tables in SQ01 and SQ02, getting 'Not Authorized to Read Table'

    We are trying to use a SAP Standard View Table (CAUFV) in an SQ01 and SQ02 transaction. Even though there is no Authorization Group assigned to the View we still get "You have no authorization to read table caufv" when running the linked transaction. We tried assigning the CA and KA authorization groups to the role and got the same results. (The tables used to create the View are AFKO and AUKF and their Authorization groups are CA and KA.) We tried other views and received the same results. Does anyone have any experience with this?

    Hello Chuck,
    There are 2 ways to restrict this
    1: The user should be a part of at least one user group to run the corresponding ABAP query. This automatically restricts the access of the user to specific functional areas, and thus the corresponding underlying logical databases.
    2: The authorization object S_QUERY should be used to give proper authorizations to the user for a query. This authorization object has a field named ACTVT, which can take values 02 for Change, 23 for Maintain and 67 for Translate.
    This value determines whether the user can create and modify the query. The possible authorizations in the object are as follows:
    S_QUERY_ALL          Change, maintain and translate query
    S_QUERY_UPD         Change and Translate

  • Direct database data access without data level authorization check

    Hello,
    My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, the customer asks me to list all the possibilities to display data without a data level authorization check.
    The things in my mind are
    SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
    Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser : SE11, SE12, SE16, SE16N, SE17
    Table Maintenance : SM30
    Function Module : RFC_READ_TABLE
    Function Module : DB_EXECUTE_SQL (DML)
    Anyone knows anything which is not listed above?
    Thanks

    HI,
    Generally, in production, users should not be given all these authorizations.
    Ram.

  • Utilizing SQ01 SQ02 for user report generation of production data

    I am interested in utilizing sap query transactions SQ01, SQ02, and SQ03 to create and customize end user reports that will be used  by our audit team to analyze SAP data in our production environment. My objective would be to have one person with authorization to run SQ01,02,03 and have that user create all the reports that would be required for the team to use. This way there isn't a bunch of users out there using SQ01 indiscriminately or perhaps not using it at all. I currently have authorization to run SQVI but it is limited. From what I understand there is more flexibility with SQ01 because they allow you to create calculated fields and offer more formatting options. Most of these reports would be related to finance, sales, vendor, customer, etc.
    My question is this. How do I create these custom queries and allow multiple users to access and run them? Are the queries created directly in production? Are they created in DEV and then tested in QA before being transported to Prod? I understand you can map an sap query program to a transaction and then add that to a role but isn't the program name generated by SQ01 different in every instance? I would like this code to be reproducible as I have 5 different SAP instances in which these reports would be used. Same reports, different data.
    I am looking to leverage the power of SAP query to produce meaningful reports for our team without having to use programmers to develop them from scratch. What is the optimal approach to doing this without creating a lot of hassles and without creating additional security risks?
    If I create a query based on SAP tables I have access to does the general user also have to have authorization to those tables in order for the query to run for them? In theory the entire team should have authorization to the same standard SAP tables because we all have the same roles assigned but I may have some additional tables assigned to me because I am the IT auditor. Just confirming.
    I appreciate any and all suggestions. I would like to proceed with the best solution as soon as possible.
    Thank you very much.
    Mark

    Hi Mark,
    It is best to create queries in dev rather than doing it in prd directly.
    Query user group can be used to control the access in production.
    You can have one query administrator with access to sq01,2,3 and sqvi who will assign query user group to respective users in prd so they can run these.
    BR,
    Mangesh

  • Regarding ABAP Query authorization group

    Hi Team,
    This is regarding ABAP Query!
    I have created one authorization group; for testing I have assigned my id to the authorization group.
    After creation of the ABAP query, a standard program got generated. Now I have created one transaction code at the end for the ABAP Query.
    Now the issue is that even though I have deleted my id from the authorization group, I am able to execute the query from SQ01 and with the transaction code.
    It should not happen... I want that only whosoever's id is mapped to the transaction code should be able to run that query; otherwise there is no use of the authorization group.
    Please help me out in this case.
    Thanks & Regards,
    Anil Kumar Sahni

    Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Group= your group.
    You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. Maybe you have the SAP_ALL profile.
    Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

  • P_ABAP not skipping the authorization check

    Hi All,
    I would require your assistance on the following issue at earliest.
    HR key users are executing the HR standard reports by using the t-code S_PH0_48000509 Adhoc query and also with t-code SQ01. When they execute the reports, the system checks their authorizations during execution, and the report takes longer to run and also throws an ABAP dump.
    Hence, I went through some blogs and also SAP Help about the auth object P_ABAP; as stated in the help, I have provided access to the user
    with option 2 under
    P_ABAP (HR: Reporting) - Authorizations for Human Resources - SAP Library
    HR InfoSets for InfoSet Query (SAP Library - InfoSet Query)
    But the system is still checking the authorization against the user in both foreground and background for the above t-codes. Please assist on the same.
    Thanking you,
    Kotesh

    Hi,
    The P_ABAP object works with programs; in the transaction you mention, the program getting the final result is not the same as the one behind the transaction for the AdHoc query... The programs for the queries are generated because the user has to make selections for input and output.
    So from there you cannot use this simplification object. But if the users start already saved queries (and not infoset), then you could find and use that specific report.
    I tried and traced myself:
    AUTH       
    P_ABAP
    RC=0  REPID=!QZZ/SAPQUERY/H0MUYLAE08141045;COARS=2;type=TR;name=S_PH0_48000509;
    AUTH       
    P_ABAP
    RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=S_PH0_48000509;
    The name of the report is generated and always starts with something like AQZZ* or !QZZ*
    But this is because they work from the Infoset.
    If you start from the SQ01 and the queries:
    AUTH       
    P_ABAP
    RC=0  REPID=AQZZ/SAPQUERY/H0CM_02========= ;COARS=2;type=TR;name=SQ01;
    AUTH       
    P_ABAP
    RC=0  REPID=SAPDBPNP;COARS=2;type=TR;name=SQ01;
    There the name of the query is fixed because the structure of the selection and the fields are already defined and fixed. You only choose the values to be processed.
    The name is no more generic but always the same AQZZ/SAPQUERY/H0CM_02 for:
    AQZZ  this is for a query from infoset /SAPQUERY/H0 on query CM_02
    The second line on the trace is very dangerous to use because this would skip all HR controls in PNP programs, meaning almost all HR programs... So I do not recommend that option.
    Best regards,
    Jonathan

  • SQ01, SQ02 & SQ03

    Hi,
    I am creating user groups (SQ03), infosets (SQ02) and reports (SQ01) for different departments which may access the same infosets but have their own reports. The trouble I'm having is that no matter what user logs in to SQ01 they have access to run ALL SQ01 reports regardless of whether they are members of that user group or not.
    Is there a process or a particular order in which you create the user groups, infosets and reports so that any user can only access reports belonging to their user group?
    Thanks,
    Conor

    Hi,
    Generally, queries are user specific (pertaining to the user group).
    Whereas reports are global to all, unless you restrict them with some explicit authorizations.
    check this link for Authorization:
    Authorisation check in ABAP Query..

  • Destrict access to SQ01

    Hello Gurus ,
    I would like some help with restraining access to users that have Tx SQ01.
    I know there are two ways to do this :
    1. With authorization objects
    2. With user groups in SQ03.
    Although I created user groups, in SQ01 I still have the option to go over
    SQ01 > Edit > Other user groups and choose a different user group. This is probably because I have more rights. How can I be sure, or better, deactivate this option for a user that is using SQ01 so he can execute and create queries only within a limited SAP area with the infosets that are assigned to his user group?
    Regards,
    David (SAP Basis)

    Like Jurjen said, SAP security is not about denying but granting access carefully.
    Many users perform daily reporting combining different criteria, and queries are there to ease their life.
    You can give access only to SQ01 and deactivate S_QUERY.
    Then assign the users to particular query user groups using SQ03 so that they have access to execute the queries which they actually need.
    When the users execute SQ01, they can see the queries for which they are authorized.
    This is a twofold advantage. You prohibit change access in SQ01 while at the same time granting access to the queries which the user needs for reporting on display.
    And if you are speaking of production environments, then there is no danger of a user creating a query via SQ01, as the prd client is normally closed for changes!
    Regards
    Deepa
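
As an added example (not part of any post above and not SAP's own code), the following Python script audits role data for the situation discussed in these threads: which users who can start SQ01 also hold S_QUERY with activity 02, 23 or 67, and which can only execute. The CSV layout, role names and user names are constructed sample data modelled on the AGR_1251 and AGR_USERS role tables; authorizations from directly assigned profiles such as SAP_ALL are not covered.

```python
import csv
import io
from collections import defaultdict

# S_QUERY activity values as listed in the thread.
S_QUERY_ACTVT = {"02": "Change", "23": "Maintain", "67": "Translate"}

# Constructed sample data, not from a real system. Column names follow the
# role tables AGR_1251 (authorization values) and AGR_USERS (assignments);
# the CSV export layout itself is an assumption.
AGR_1251_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_FI_QUERY_RUN,S_TCODE,T_0001,TCD,SQ01,
Z_FI_QUERY_DEV,S_TCODE,T_0002,TCD,SQ01,
Z_FI_QUERY_DEV,S_QUERY,T_0003,ACTVT,02,
Z_BASIS_ADMIN,S_TCODE,T_0004,TCD,SQ00,SQ03
Z_BASIS_ADMIN,S_QUERY,T_0005,ACTVT,*,
Z_TRANSLATOR,S_TCODE,T_0006,TCD,SQ01,
Z_TRANSLATOR,S_QUERY,T_0007,ACTVT,60,70
"""

AGR_USERS_CSV = """AGR_NAME,UNAME
Z_FI_QUERY_RUN,FICO_USER1
Z_FI_QUERY_RUN,FICO_USER2
Z_FI_QUERY_DEV,FICO_USER2
Z_BASIS_ADMIN,BASIS1
Z_TRANSLATOR,TRANSL1
"""


def covers(low, high, value):
    """True if one authorization entry (LOW/HIGH) covers the given value."""
    low, high = low.strip(), high.strip()
    if high:                      # interval LOW..HIGH, compared as strings
        return low <= value <= high
    if low.endswith("*"):         # full wildcard '*' or a prefix such as 'SQ*'
        return value.startswith(low[:-1])
    return low == value


def audit(agr_1251_csv, agr_users_csv):
    """Map each user who can start SQ01 to the S_QUERY activities held."""
    sq01_roles = set()
    role_actvt = defaultdict(set)
    for row in csv.DictReader(io.StringIO(agr_1251_csv)):
        obj, field = row["OBJECT"], row["FIELD"]
        if obj == "S_TCODE" and field == "TCD":
            if covers(row["LOW"], row["HIGH"], "SQ01"):
                sq01_roles.add(row["AGR_NAME"])
        elif obj == "S_QUERY" and field == "ACTVT":
            for actvt in S_QUERY_ACTVT:
                if covers(row["LOW"], row["HIGH"], actvt):
                    role_actvt[row["AGR_NAME"]].add(actvt)

    # Authorizations add up across all roles assigned to a user.
    has_sq01 = set()
    user_actvt = defaultdict(set)
    for row in csv.DictReader(io.StringIO(agr_users_csv)):
        user, role = row["UNAME"], row["AGR_NAME"]
        if role in sq01_roles:
            has_sq01.add(user)
        user_actvt[user] |= role_actvt.get(role, set())

    return {user: [S_QUERY_ACTVT[a] for a in sorted(user_actvt[user])]
            for user in sorted(has_sq01)}


if __name__ == "__main__":
    for user, acts in audit(AGR_1251_CSV, AGR_USERS_CSV).items():
        print(f"{user:12} {', '.join(acts) or 'execute only (no S_QUERY)'}")
```

A user whose list is empty has SQ01 without any S_QUERY activity, which is the execute-only setup described in the last reply; FICO_USER2 shows how a second role silently adds Change.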
